Categories

Archive for October, 2005

Tired of using OpenSSL and editing weird configuration files just to create a certificate?

Fortunately there is an easier way with the advantage of using an already used system: Since version 1.9.18, GnuPG is a able to create certificate requests for servers; due to a bug in the export command, it is however suggested to use version 1.9.19.

Here is a brief run up on how to create a server certificate. It has actually been done this way to get a certificate from CAcert to be used on a real server. It has only be tested with this CA, but there shouldn’t be any problem to run this against any other CA.

Before you start, make sure that gpg-agent is running; see the manual on how to do this (“info gnupg”). As there is no need for a configuration file, you may simply enter:

I opted for creating a new RSA key. The other option is to use an already existing key, by selecting “2″ and entering the so-called keygrip. Running "gpgsm --dump-secret-key USERID" will show you this keygrip.

Let’s continue:

Key length [1] 1024 [2] 2048 Your selection: 1 You selected: 1024

The script offers just two common key sizes. With the current setup of CAcert, it does not make much sense to use a 2k key; their policies need to be revised anyway (a CA root key valid for 30 years is not really serious).

We want to sign and encrypt using this key. This is just a suggestion and the CA may actually assign other key capabilities.

Now for some real data:

Name (DN) > CN=kerckhoffs.g10code.com

This is the most important value for a server certificate. Enter here the canonical name of your server machine. You may add other virtual server names later.

E-Mail addresses (end with an empty line) >

We don’t need email addresses in a server certificate and CAcert would anyway ignore such a request. Thus just hit enter.

If you want to create a client certificate for email encryption, this would be the place to enter your mail address (e.g. joe@example.org). You may enter as many addresses as you like, however the CA may not accept them all or reject the entire request.

DNS Names (optional; end with an empty line) > www.g10code.com DNS Names (optional; end with an empty line) > ftp.g10code.com DNS Names (optional; end with an empty line) >

Here I entered the names of the servers which actually run on the machine given in the DN above. The browser will accept a certificate for any of these names. As usual the CA must approve all of these names.

URIs (optional; end with an empty line) >

It is possible to insert arbitrary URIs into a certificate; for a server certificate this does not make sense.

We have now entered all required information and gpgsm will display what it has gathered and ask whether to create the certificate request:

gpgsm will now start working on creating the request. As this includes the creation of an RSA key, it may take a while. During this time you will be asked 3 times for a passphrase to protect the created private key on your system. A pop up window will appear to ask for it. The first two prompts are for the new passphrase and to re-enter it; the third one is required to actually create the certificate request.

You may now proceed by logging into your account at the CAcert website, choose “Server Certificates – New”, check “sign by class 3 root certificate”, paste the above request block into the text field and click on “Submit”.

If everything works out fine, a certificate will be shown. Now run

$ gpgsm --import

and paste the certificate from the CAcert page into your terminal followed by a Ctrl-D

gpgsm tells you that it has imported the certificate. It is now associated with the key you used when creating the request. The root certificate has not been found, so you may want to import it from the CACert website.

I used “-K” above because this will only list certificates for which a private key is available. To see more details, you may use “–dump-secret-keys” instead of “-K”. The output has been created using the current CVS version of GnuPG 1.9; older versions won’t show the dns-names.

To make actual use of the certificate you need to install it on your server. Server software usally expects a PKCS#12 file with key and certificate. To create such a file, run:

$ gpgsm --export-secret-key-p12 -a >kerckhoffs-cert.pem

You will be asked for the passphrase as well as for a new passphrase to be used to protect the pkcs#12 file. The file now contains the certificate as well as the private key:

Due to my work with smart cards I recently came across a little pet project named SmartChess which succeeded to implement chess software on a smart card. If you are interested in chess and very small CPUs you might want to have a look at it.

It is not pure coincedence that I noticed this project: Achim actually helped me to get the smart card support for GnuPG going by writing up a spec, answering numerous questions of mine, testing and actually providing cards.

Some may wonder why there is not much progress on GnuPG. Well, David is working a lot on it and I am working on a related project: gpg4win – which eventualy will be a win for folks required to use that proprietary OS from Microsoft.

Frankly, it is not a big deal as it merely collects existing applications and provides a framework for easy building a complete and easy to use installer with parts like gpg, WinPT, GPA, GPGee, GPGol and so on. The goal is that you will be able to run a

./configure --host=i586-mingw32msvc && make

and 2 NSIS based installer packages are generated: One to get the whole thing onto your Windows box and the other one just for installing the source package to comply with the terms of the GPL. We will also overhaul the 2 German manuals from the unmaintained GnuPP project.

If you are interested in the development process, checkout this Gforge site.